Default Authorization Settings - User can join the tenant by email validation
Why This Matters
Allowing email-verified users to join your tenant without approval creates an unmanaged entry point into your directory that bypasses your identity governance controls. This setting can lead to shadow tenants, unmanaged guest accounts, and potential data exposure if external users gain unintended access to resources. Malicious actors could exploit this to establish a foothold in your organization simply by verifying an email address.
What Aether365 Checks
This check verifies that the allowEmailVerifiedUsersToJoinOrganization setting in the Entra ID authorization policy is set to false. It appears in the Aether365 dashboard under entra-id checks with severity Medium.
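The following is an added example, not Aether365's own code, showing how to reproduce this check and remediate a failing tenant with Microsoft Graph PowerShell. It assumes the Microsoft.Graph module (v2 or later) and an account granted the Policy.ReadWrite.Authorization permission.

```powershell
# Added example (not Aether365's code): reproduce the authorization-policy check
# and, if it fails, turn the setting off. Assumes Microsoft.Graph v2+ is installed.
# Reading the policy needs Policy.Read.All; writing it needs Policy.ReadWrite.Authorization.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization" -NoWelcome

# The authorization policy is a tenant-wide singleton. The property under test is
# allowEmailVerifiedUsersToJoinOrganization; true means any user who can verify an
# email address may self-join the tenant without admin approval.
$policy  = Get-MgPolicyAuthorizationPolicy
$current = $policy.AllowEmailVerifiedUsersToJoinOrganization

if ($current -eq $true) {
    Write-Warning "FAIL: email-verified users can join the tenant without approval."

    # Remediation: set the property to false. The hashtable is the request body
    # sent to PATCH /policies/authorizationPolicy.
    Update-MgPolicyAuthorizationPolicy -BodyParameter @{
        allowEmailVerifiedUsersToJoinOrganization = $false
    }

    # Re-read the policy so the result reflects the tenant's actual state,
    # not just the absence of an error from the update call.
    $after = (Get-MgPolicyAuthorizationPolicy).AllowEmailVerifiedUsersToJoinOrganization
    if ($after -eq $false) {
        Write-Host "PASS: allowEmailVerifiedUsersToJoinOrganization is now false."
    }
    else {
        Write-Error "Setting is still true; confirm the signed-in account holds an admin role."
    }
}
else {
    Write-Host "PASS: allowEmailVerifiedUsersToJoinOrganization is already false."
}
```

For an audit-only run, connect with the Policy.Read.All scope instead and drop the Update-MgPolicyAuthorizationPolicy block; the Get call alone is enough to reproduce the Aether365 finding.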